Cybersecurity remains a top concern for community banks. The October 2021 report Community Banking in the 21st Century from the Conference of State Bank Supervisors (CSBS), indicates that more than 80% of bankers ranked cybersecurity risk as “very important,” which was more than double the rate for any other type of operational risk.
With that in mind, I spoke with three ICBA ThinkTECH Accelerator alumni who specialize in cybersecurity: Zach Duke, CEO of Finosec; Tim Evans, co-founder and senior vice president at Adlumin; and David Shipley, CEO of Beauceron Security to get their take on new developments. The following provides insights into our conversation and a deeper look at what community banks want to consider as they evaluate today’s threats.
Duke: One of the biggest challenges we see is managing employee access to banking systems. [Often] … employees have more access than they need to perform their job at the bank. For example, when an employee clicks on a phishing attack link, the bank should limit the types of actions and changes performed by managing employee access with the principle of least privilege.
Evans: The first step and key factor in monitoring protocols is to ensure that you are ingesting all of the enterprise network security logs (i.e., laptops, desktops, servers, firewall logs, VPN logs, and Office 365). Step two is to apply artificial intelligence and machine learning across the organization’s network data stream; this will find those activities that show anomalous or malicious activity. Finally, the organization needs to have personnel who manage these alerts.
Shipley: The most important thing a bank can do to prevent cyberattacks targeting customer accounts is to create a culture where it’s not only okay, but consistently encouraged, to ask questions and challenge requests. The biggest digital fraud attempt in history, the 2016 Bangladesh National Bank Cyber Heist, was ultimately discovered by a diligent U.S. Federal Reserve Bank employee. While initial batches worth more than $100 million had already been sent out, the fraudsters were ultimately denied a billion-dollar payday because the employee noticed a typo in the request and halted subsequent transfers.
Duke: Risk assessments are the best organizational practice to implement. As technologists, let alone cybersecurity professionals, we tend to make cybersecurity overly complicated. Community bankers understand risk management; it is at the core of what makes a bank successful. By creating an effective risk assessment process, a bank can change the cybersecurity culture and posture of the organization.
Evans: While cybersecurity training for all staff is a critical piece of network security, 24/7 continuous monitoring of all enterprise network traffic and security logs is probably the single most important practice a community bank can implement to protect against ransomware-style attacks. An organization's ability to know what is normal and what is anomalous on its network is the only way to recognize activity that could result in a breach of the network.
Shipley: We must balance our investments in cybersecurity technology with investments in our people. Right now, 99 cents out of every dollar spent on security goes towards cybersecurity technologies for defenses or consulting services. Yet 90% of cyberattacks start with attacks that specifically target our people.
Duke: The most significant opportunity I see is to create a culture of communication and collaboration within our industry. Leveraging ICBA’s Operational Risk Resource Center, the vendor community, and peer bankers are great places to start.
Evans: Each person's access to your network and systems should be commensurate with the need to perform their task. For example, if a vendor needs to do work inside the network for a few hours each month, a network administrator should give that third-party vendor one day of access per month rather than unlimited 24/7/365 access.
Shipley: Community banks have an amazing opportunity to deepen relationships with customers by sharing cybersecurity knowledge, advice, and best practices. People trust their community banks, and the bank’s brand inherently includes security.
Duke: Community banks can create a culture of cybersecurity governance and oversight inside the institution that permeates from the bank leadership. When the bank's leadership manages cybersecurity as a risk mitigation process, the institution's cybersecurity posture is greatly enhanced.
Evans: A network owner should map out each of its security applications, firewalls, and other security devices to determine the relevant network information each provides. A network owner should also determine what relevant information is missing and where there are gaps in visibility. Additionally, providing this information to the Board of Directors for oversight is critical.
Shipley: The single most important measure for community banks to bolster their defenses against future attacks is to educate and empower their staff. Teaching your team how – and more importantly – why – to report a suspicious e-mail or to question a transaction can make all the difference.
Duke: One of the best questions to ask the bank's information security and cybersecurity team is “what areas of cybersecurity governance are complicated or completed manually?” By understanding these manual and overly complicated processes the bank can begin to evaluate alternatives that increase the efficiency and effectiveness of the cybersecurity program.
Evans: There is no silver bullet to stop all cyberattacks. The real key to network security is understanding your enterprise network ecosystem. Doing an analysis of each of your network security tools will give you a better idea of what you are missing. Understanding where your most sensitive data is located will help you understand network security gaps as well.
Shipley: With the power of new technologies comes new risk. It’s important to think through how new process improvements, services or technologies that are part of your bank’s digital transformation can introduce new risks. Learning from the mistakes of others that have led to trillion-dollar cybercrime losses can help you understand and mitigate risks.
Joel Williquette is ICBA senior vice president of operational risk policy.